Cross-site Scripting (XSS) - Stored in munafio/chatify

Valid

Reported on

Jul 4th 2021


✍️ Description

A Laravel package that helps you add a complete real-time messaging system to your new / existing application with only one command. This package is vulnerable to XSS.

🕵️‍♂️ Proof of Concept

poc

💥 Impact

This vulnerability is capable of admin account takeover.

We have contacted a member of the munafio/chatify team and are waiting to hear back 2 years ago
Munaf Aqeel Mahdi validated this vulnerability 2 years ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
Munaf
2 years ago

Maintainer


Can you please show me the way you did that? The file? Share it with me.

Abdul muhaimin
2 years ago

Researcher


Sure, actually the script was inside the file name here; I just renamed a file to "'><img id=x onfocus=alert(1)>.png"

Munaf
2 years ago

Maintainer


No, it's not as in your review! I know that the bug occurs because of the file name, which can cause an XSS issue. So I renamed an image to show an alert message (onerror), not onfocus :)

Abdul muhaimin
2 years ago

Researcher


My bad, I just copied it :P

Munaf Aqeel Mahdi marked this as fixed with commit 476d84 2 years ago
Munaf Aqeel Mahdi has been awarded the fix bounty
This vulnerability will not receive a CVE
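
As an added example (not Chatify's code and not the change made in the fix commit), the sketch below shows why an uploaded file name like the one quoted in the thread has to be HTML-escaped where it is output, single quote included. The anchor template and every function name are assumptions made for illustration.

```javascript
// Added example: not Chatify's code. The <a> template below is an assumed sink.

// Constructed sample input: the file name quoted in the thread above.
const SAMPLE_NAME = `'><img id=x onfocus=alert(1)>.png`;

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that are significant in HTML text and in
// quoted attribute values. The single quote matters here: the sample
// name starts with ' so that it can close a single-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the file name is concatenated straight into markup.
function renderAttachmentUnsafe(fileName) {
  return `<a class='attachment' title='${fileName}'>${fileName}</a>`;
}

// "After": the file name is escaped at the point of output.
function renderAttachmentSafe(fileName) {
  const safe = escapeHtml(fileName);
  return `<a class='attachment' title='${safe}'>${safe}</a>`;
}

// Crude structural check for this demo: count the tags opened in the output.
// A correctly escaped name leaves exactly one (the <a> from the template).
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Defence in depth at upload time: store a display name restricted to a
// conservative allow-list. Output escaping is still required.
function sanitizeStoredName(fileName) {
  const cleaned = String(fileName).replace(/[^A-Za-z0-9._ -]/g, '_');
  return cleaned.replace(/^\.+/, '_').slice(0, 255) || 'file';
}

console.log('unsafe tags:', countOpeningTags(renderAttachmentUnsafe(SAMPLE_NAME)));
console.log('safe tags:  ', countOpeningTags(renderAttachmentSafe(SAMPLE_NAME)));
console.log('stored as:  ', sanitizeStoredName(SAMPLE_NAME));
```

The same rule applies to any other place the name is rendered (message previews, download links, notifications), since each one is a separate output point.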